EDITOR’S QUESTION
JONATHAN KNUDSEN, SENIOR SECURITY STRATEGIST AT SYNOPSYS
It was more than six years ago that the Defense Advanced Research Projects Agency (DARPA), a research and development arm of the Department of Defense (DoD), issued a ‘broad agency announcement’ seeking research proposals for developing biometric authentication through analysis of various activities and behaviours – keystroke patterns, mouse use, sentence structure and use of language – that add up to what the agency calls a ‘cognitive fingerprint’.
Those mechanisms go beyond ‘something you know’ (the password) and ‘something you have’ (a token or wearable) to enhanced ‘something you are’ biometric authentication (fingerprint, voice, face, retina). Implemented correctly, a user’s biometric measures are stored only on the user’s device. Passwords are ‘shared secrets’ that reside on both the device and on a server that, as we all know, can get hacked in various ways. To compromise biometric authentication, an attacker would need physical access to the device.
But between now and when passwords really do become as rare as phone booths, be sure to use a password manager, which holds all your passwords in a ‘container’ locked by a master key that only the user knows. That means all you have to do is create one really complex password that you can remember. The manager will also help you create unique passwords for new websites or apps.
Passwords are convenient for software creators but hard for humans to use correctly. Being human, we want to use the same password for every service, which is a terrible idea. We want to use passwords that are easy to remember, which is a terrible idea. We see passwords as a hurdle that must be jumped before we can actually start getting work done.
Authentication, or proving identity, is always based on something you know, something you have, or something you are.
www.intelligentcio.com
Multi-factor authentication combines these. For example, a website might require you to supply a password (something you know) and also send a text message to your phone (something you have). Some apps these days will also rely on a fingerprint (something you are).
Passwords are definitely on the decline, as fingerprint sensors become widespread in smartphones, a variety of USB authentication devices (something you have) are available, and smartcards now function as a physical manifestation of a private cryptographic key. These newer authentication methods will be easier for humans to use correctly, as the concept of the security of a USB device, a smartcard, or a fingerprint is much easier to understand than the problem of remembering a password, or knowing how to pick a password that is hard to guess.
INTELLIGENTCIO
37